Message ID | 20181018053949.4064426-3-songliubraving@fb.com |
---|---|
State | Changes Requested, archived |
Delegated to: | BPF Maintainers |
Headers | show |
Series | bpf: add cg_skb_is_valid_access | expand |
On Wed, Oct 17, 2018 at 10:39:49PM -0700, Song Liu wrote: > Tests are added to make sure CGROUP_SKB cannot access: > tc_classid, data_meta, flow_keys > > and can read and write: > mark, prority, and cb[0-4] > > and can read other fields. > > To make selftest with skb->sk work, a dummy sk is added in > bpf_prog_test_run_skb(). > > Signed-off-by: Song Liu <songliubraving@fb.com> > --- > net/bpf/test_run.c | 4 + > tools/testing/selftests/bpf/test_verifier.c | 170 ++++++++++++++++++++ > 2 files changed, 174 insertions(+) > > diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c > index 0c423b8cd75c..c7210e2f1ae9 100644 > --- a/net/bpf/test_run.c > +++ b/net/bpf/test_run.c > @@ -10,6 +10,7 @@ > #include <linux/etherdevice.h> > #include <linux/filter.h> > #include <linux/sched/signal.h> > +#include <net/sock.h> > > static __always_inline u32 bpf_test_run_one(struct bpf_prog *prog, void *ctx, > struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE]) > @@ -115,6 +116,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, > u32 retval, duration; > int hh_len = ETH_HLEN; > struct sk_buff *skb; > + struct sock sk; > void *data; > int ret; > > @@ -142,6 +144,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, > kfree(data); > return -ENOMEM; > } > + sock_init_data(NULL, &sk); > + skb->sk = &sk; I was about to apply it, but it crashes as: [ 16.830822] BUG: unable to handle kernel paging request at 000000014427b974 [ 16.831363] PGD 8000000135ecf067 P4D 8000000135ecf067 PUD 0 [ 16.831792] Oops: 0000 [#1] SMP PTI [ 16.832061] CPU: 1 PID: 1965 Comm: test_verifier Not tainted 4.19.0-rc7-02550-ga76dee97ff12 #1153 [ 16.832712] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 16.833358] RIP: 0010:cmp_map_id+0x10/0x50 [ 16.835036] RSP: 0018:ffffc9000080faf8 EFLAGS: 00010246 [ 16.835429] RAX: 00000000ffffffff RBX: 0000000036069ee8 RCX: 0000000000000000 [ 16.835958] RDX: 000000014427b970 RSI: 000000014427b970 RDI: ffffc9000080fb44 [ 16.836496] RBP: 000000000000000c R08: ffffffff810f7330 R09: 0000000036069ee8 [ 16.837026] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 [ 16.837554] R13: ffffffff810f7330 R14: 000000014427b970 R15: 000000001b034f74 [ 16.838083] FS: 00007fae50663700(0000) GS:ffff88013ba80000(0000) knlGS:0000000000000000 [ 16.838677] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.839105] CR2: 000000014427b974 CR3: 0000000135934005 CR4: 00000000003606e0 [ 16.839632] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 16.840157] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 16.840682] Call Trace: [ 16.840897] bsearch+0x50/0x90 [ 16.841144] map_id_range_down+0x81/0xa0 [ 16.841438] make_kuid+0xf/0x10 [ 16.841677] sock_init_data+0x24f/0x260 [ 16.841979] bpf_prog_test_run_skb+0x9e/0x270 I suspect sock_net_set(sk, &init_net) is necessary before sock_init_data() call.
> On Oct 17, 2018, at 11:25 PM, Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > On Wed, Oct 17, 2018 at 10:39:49PM -0700, Song Liu wrote: >> Tests are added to make sure CGROUP_SKB cannot access: >> tc_classid, data_meta, flow_keys >> >> and can read and write: >> mark, prority, and cb[0-4] >> >> and can read other fields. >> >> To make selftest with skb->sk work, a dummy sk is added in >> bpf_prog_test_run_skb(). >> >> Signed-off-by: Song Liu <songliubraving@fb.com> >> --- >> net/bpf/test_run.c | 4 + >> tools/testing/selftests/bpf/test_verifier.c | 170 ++++++++++++++++++++ >> 2 files changed, 174 insertions(+) >> >> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c >> index 0c423b8cd75c..c7210e2f1ae9 100644 >> --- a/net/bpf/test_run.c >> +++ b/net/bpf/test_run.c >> @@ -10,6 +10,7 @@ >> #include <linux/etherdevice.h> >> #include <linux/filter.h> >> #include <linux/sched/signal.h> >> +#include <net/sock.h> >> >> static __always_inline u32 bpf_test_run_one(struct bpf_prog *prog, void *ctx, >> struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE]) >> @@ -115,6 +116,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, >> u32 retval, duration; >> int hh_len = ETH_HLEN; >> struct sk_buff *skb; >> + struct sock sk; >> void *data; >> int ret; >> >> @@ -142,6 +144,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, >> kfree(data); >> return -ENOMEM; >> } >> + sock_init_data(NULL, &sk); >> + skb->sk = &sk; > > I was about to apply it, but it crashes as: > [ 16.830822] BUG: unable to handle kernel paging request at 000000014427b974 > [ 16.831363] PGD 8000000135ecf067 P4D 8000000135ecf067 PUD 0 > [ 16.831792] Oops: 0000 [#1] SMP PTI > [ 16.832061] CPU: 1 PID: 1965 Comm: test_verifier Not tainted 4.19.0-rc7-02550-ga76dee97ff12 #1153 > [ 16.832712] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 > [ 16.833358] RIP: 0010:cmp_map_id+0x10/0x50 > [ 16.835036] RSP: 0018:ffffc9000080faf8 EFLAGS: 00010246 > [ 16.835429] RAX: 00000000ffffffff RBX: 0000000036069ee8 RCX: 0000000000000000 > [ 16.835958] RDX: 000000014427b970 RSI: 000000014427b970 RDI: ffffc9000080fb44 > [ 16.836496] RBP: 000000000000000c R08: ffffffff810f7330 R09: 0000000036069ee8 > [ 16.837026] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 > [ 16.837554] R13: ffffffff810f7330 R14: 000000014427b970 R15: 000000001b034f74 > [ 16.838083] FS: 00007fae50663700(0000) GS:ffff88013ba80000(0000) knlGS:0000000000000000 > [ 16.838677] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 16.839105] CR2: 000000014427b974 CR3: 0000000135934005 CR4: 00000000003606e0 > [ 16.839632] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 16.840157] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 16.840682] Call Trace: > [ 16.840897] bsearch+0x50/0x90 > [ 16.841144] map_id_range_down+0x81/0xa0 > [ 16.841438] make_kuid+0xf/0x10 > [ 16.841677] sock_init_data+0x24f/0x260 > [ 16.841979] bpf_prog_test_run_skb+0x9e/0x270 > > I suspect sock_net_set(sk, &init_net) is necessary before sock_init_data() call. I am not able to repro this, even with CONFIG_KASAN and CONFIG_PAGE_POISONING. Let me try a better approach on this. Thanks, Song
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 0c423b8cd75c..c7210e2f1ae9 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -10,6 +10,7 @@ #include <linux/etherdevice.h> #include <linux/filter.h> #include <linux/sched/signal.h> +#include <net/sock.h> static __always_inline u32 bpf_test_run_one(struct bpf_prog *prog, void *ctx, struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE]) @@ -115,6 +116,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, u32 retval, duration; int hh_len = ETH_HLEN; struct sk_buff *skb; + struct sock sk; void *data; int ret; @@ -142,6 +144,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, kfree(data); return -ENOMEM; } + sock_init_data(NULL, &sk); + skb->sk = &sk; skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN); __skb_put(skb, size); diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index cf4cd32b6772..5bfba7e8afd7 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -4862,6 +4862,176 @@ static struct bpf_test tests[] = { .result = REJECT, .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, }, + { + "direct packet read test#1 for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, + offsetof(struct __sk_buff, len)), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, + offsetof(struct __sk_buff, pkt_type)), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, + offsetof(struct __sk_buff, mark)), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6, + offsetof(struct __sk_buff, mark)), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, + offsetof(struct __sk_buff, queue_mapping)), + BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, + offsetof(struct __sk_buff, protocol)), + BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, + offsetof(struct __sk_buff, vlan_present)), + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { + "direct packet read test#2 for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, + offsetof(struct __sk_buff, vlan_tci)), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, + offsetof(struct __sk_buff, vlan_proto)), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, + offsetof(struct __sk_buff, priority)), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6, + offsetof(struct __sk_buff, priority)), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, + offsetof(struct __sk_buff, ingress_ifindex)), + BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, + offsetof(struct __sk_buff, tc_index)), + BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, + offsetof(struct __sk_buff, hash)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { + "direct packet read test#3 for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, + offsetof(struct __sk_buff, cb[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, + offsetof(struct __sk_buff, cb[1])), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, + offsetof(struct __sk_buff, cb[2])), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, + offsetof(struct __sk_buff, cb[3])), + BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, + offsetof(struct __sk_buff, cb[4])), + BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, + offsetof(struct __sk_buff, napi_id)), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4, + offsetof(struct __sk_buff, cb[0])), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5, + offsetof(struct __sk_buff, cb[1])), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6, + offsetof(struct __sk_buff, cb[2])), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7, + offsetof(struct __sk_buff, cb[3])), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8, + offsetof(struct __sk_buff, cb[4])), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { + "direct packet read test#4 for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, family)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, remote_ip4)), + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, + offsetof(struct __sk_buff, local_ip4)), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, + offsetof(struct __sk_buff, remote_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, + offsetof(struct __sk_buff, remote_ip6[1])), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, + offsetof(struct __sk_buff, remote_ip6[2])), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, + offsetof(struct __sk_buff, remote_ip6[3])), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, + offsetof(struct __sk_buff, local_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, + offsetof(struct __sk_buff, local_ip6[1])), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, + offsetof(struct __sk_buff, local_ip6[2])), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, + offsetof(struct __sk_buff, local_ip6[3])), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, + offsetof(struct __sk_buff, remote_port)), + BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, + offsetof(struct __sk_buff, local_port)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { + "invalid access of tc_classid for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, tc_classid)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid bpf_context access", + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { + "invalid access of data_meta for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, data_meta)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid bpf_context access", + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { + "invalid access of flow_keys for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, flow_keys)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid bpf_context access", + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { + "invalid write access to napi_id for CGROUP_SKB", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, + offsetof(struct __sk_buff, napi_id)), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9, + offsetof(struct __sk_buff, napi_id)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid bpf_context access", + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, { "valid cgroup storage access", .insns = {
Tests are added to make sure CGROUP_SKB cannot access: tc_classid, data_meta, flow_keys and can read and write: mark, prority, and cb[0-4] and can read other fields. To make selftest with skb->sk work, a dummy sk is added in bpf_prog_test_run_skb(). Signed-off-by: Song Liu <songliubraving@fb.com> --- net/bpf/test_run.c | 4 + tools/testing/selftests/bpf/test_verifier.c | 170 ++++++++++++++++++++ 2 files changed, 174 insertions(+)